From owner-cvs-src@FreeBSD.ORG Tue Oct 12 17:40:25 2004 Return-Path: Delivered-To: cvs-src@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ADF7116A4CE; Tue, 12 Oct 2004 17:40:25 +0000 (GMT) Received: from cell.sick.ru (cell.sick.ru [217.72.144.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id E073443D41; Tue, 12 Oct 2004 17:40:24 +0000 (GMT) (envelope-from glebius@freebsd.org) Received: from cell.sick.ru (glebius@localhost [127.0.0.1]) by cell.sick.ru (8.12.11/8.12.8) with ESMTP id i9CHeMaV032232 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 12 Oct 2004 21:40:23 +0400 (MSD) (envelope-from glebius@freebsd.org) Received: (from glebius@localhost) by cell.sick.ru (8.12.11/8.12.11/Submit) id i9CHeM6h032231; Tue, 12 Oct 2004 21:40:22 +0400 (MSD) (envelope-from glebius@freebsd.org) X-Authentication-Warning: cell.sick.ru: glebius set sender to glebius@freebsd.org using -f Date: Tue, 12 Oct 2004 21:40:22 +0400 From: Gleb Smirnoff To: Robert Watson Message-ID: <20041012174022.GE31707@cell.sick.ru> References: <200410121647.i9CGlPBw027133@repoman.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <200410121647.i9CGlPBw027133@repoman.freebsd.org> User-Agent: Mutt/1.5.6i cc: cvs-src@freebsd.org cc: src-committers@freebsd.org cc: cvs-all@freebsd.org Subject: Re: cvs commit: src/sys/netinet raw_ip.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Oct 2004 17:40:25 -0000 Thank you! On Tue, Oct 12, 2004 at 04:47:25PM +0000, Robert Watson wrote: R> rwatson 2004-10-12 16:47:25 UTC R> R> FreeBSD src repository R> R> Modified files: R> sys/netinet raw_ip.c R> Log: R> When the access control on creating raw sockets was modified so that R> processes in jail could create raw sockets, additional access control R> checks were added to raw IP sockets to limit the ways in which those R> sockets could be used. Specifically, only the socket option IP_HDRINCL R> was permitted in rip_ctloutput(). Other socket options were protected R> by a call to suser(). This change was required to prevent processes R> in a Jail from modifying system properties such as multicast routing R> and firewall rule sets. R> R> However, it also introduced a regression: processes that create a raw R> socket with root privilege, but then downgraded credential (i.e., a R> daemon giving up root, or a setuid process switching back to the real R> uid) could no longer issue other unprivileged generic IP socket option R> operations, such as IP_TOS, IP_TTL, and the multicast group membership R> options, which prevented multicast routing daemons (and some other R> tools) from operating correctly. R> R> This change pushes the access control decision down to the granularity R> of individual socket options, rather than all socket options, on raw R> IP sockets. When rip_ctloutput() doesn't implement an option, it will R> now pass the request directly to in_control() without an access R> control check. This should restore the functionality of the generic R> IP socket options for raw sockets in the above-described scenarios, R> which may be confirmed with the ipsockopt regression test. R> R> RELENG_5 candidate. R> R> Reviewed by: csjp R> R> Revision Changes Path R> 1.145 +41 -20 src/sys/netinet/raw_ip.c -- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE